OMV6 connect to windows 2012 Active Directory

donh · 8. Oktober 2021

I have a 6 beta connected to my ad server. I used this and may have made some edits. RE: Active Directory / LDAP Revisited Users and groups show in shares etc. I can access and open files but not save them yet. When I try to add security = ads to smb extras in the web ui I get a 500 internal server error. Diagnostics only shows "Please apply the config change first".

As far as I can see security = ads is still a valid argunent. https://www.samba.org/samba/do…/man-html/smb.conf.5.html

Thanks

ryecoaaron · 8. Oktober 2021

Assuming security = ads is in the smb section of config.xml, what is the output of: omv-salt deploy run samba

donh · 8. Oktober 2021

Here is the output.

Code

debian:
----------
          ID: configure_samba_global
    Function: file.managed
        Name: /etc/samba/smb.conf
      Result: True
     Comment: File /etc/samba/smb.conf updated
     Started: 13:38:15.729692
    Duration: 123.584 ms
     Changes:   
              ----------
              diff:
                  --- 
                  +++ 
                  @@ -41,33 +41,3 @@
                   password server = dexta.example.com
                   realm = EXAMPLE.COM
                   security = ads
                  -#======================= Share Definitions =======================
                  -[sdb]
                  -path = /srv/dev-disk-by-uuid-dddc6d8d-cbc7-4e9b-8652-8e26308b0769/
                  -guest ok = no
                  -guest only = no
                  -read only = no
                  -browseable = yes
                  -inherit acls = yes
                  -inherit permissions = yes
                  -ea support = yes
                  -store dos attributes = yes
                  -fruit:encoding = private
                  -fruit:locking = none
                  -fruit:metadata = netatalk
                  -fruit:resource = file
                  -fruit:time machine = yes
                  -vfs objects =  fruit streams_xattr
                  -printable = no
                  -create mask = 0664
                  -force create mode = 0664
                  -directory mask = 0775
                  -force directory mode = 0775
                  -hide special files = yes
                  -follow symlinks = yes
                  -hide dot files = yes
                  -valid users = "don","administrator@example.com","donadmin@example.com","dexample@example.com","scanuser@example.com","jexample@example.com",@"domain users@example.com"
                  -invalid users = "nobody","sm_00896c44e6ca4e378@example.com","sm_92aebd7159514eedb@example.com","sm_4de0cc3fd712416ea@example.com","krbtgt@example.com","guest@example.com","sm_c69700aeff494c3d9@example.com",@"nogroup",@"exchange windows permissions@example.com",@"exchangelegacyinterop@example.com",@"server management@example.com",@"delegated setup@example.com",@"um management@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-512@example.com",@"winrmremotewmiusers__@example.com",@"wseremoteaccessusers@example.com",@"group policy creator owners@example.com",@"view-only organization management@example.com",@"cloneable domain controllers@example.com",@"hygiene management@example.com",@"protected users@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-1113@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-1106@example.com",@"recipient management@example.com",@"wseallowdashboardaccess@example.com",@"wseinvisibletodashboard@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-1107@example.com",@"read-only domain controllers@example.com",@"enterprise admins@example.com",@"wseallowcomputeraccess@example.com",@"dnsadmins@example.com",@"cert publishers@example.com",@"domain admins@example.com",@"organization management@example.com",@"exchange servers@example.com",@"wseallowshareaccess@example.com",@"dhcp users@example.com",@"records management@example.com",@"wsealertadministrators@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-514@example.com",@"denied rodc password replication group@example.com",@"dhcp administrators@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-519@example.com",@"domain guests@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-1110@example.com",@"wseremotewebaccessusers@example.com",@"wseallowaddinaccess@example.com",@"wseallowhomepagelinks@example.com",@"exchange trusted subsystem@example.com",@"$i31000-q93gr5525bp9@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-1108@example.com",@"discovery management@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-1109@example.com",@"allowed rodc password replication group@example.com",@"exchange all hosted organizations@example.com",@"public folder management@example.com",@"dnsupdateproxy@example.com",@"wseallowmediaaccess@example.com",@"help desk@example.com",@"domain controllers@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-513@example.com",@"domain computers@example.com",@"schema admins@example.com",@"ras and ias servers@example.com",@"wsemanagedgroups@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-1111@example.com",@"enterprise read-only domain controllers@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-518@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-1112@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-1105@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-572@example.com"
                  -read list = "administrator@example.com"
                  -write list = "don","donadmin@example.com","dexample@example.com","scanuser@example.com","jexample@example.com",@"domain users@example.com"
                  -
----------
          ID: configure_samba_shares
    Function: file.append
        Name: /etc/samba/smb.conf
      Result: True
     Comment: Appended 30 lines
     Started: 13:38:15.853580
    Duration: 767.317 ms
     Changes:   
              ----------
              diff:
                  --- 
                  
                  +++ 
                  
                  @@ -41,3 +41,33 @@
                  
                   password server = dexta.example.com
                   realm = EXAMPLE.COM
                   security = ads
                  +#======================= Share Definitions =======================
                  +[sdb]
                  +path = /srv/dev-disk-by-uuid-dddc6d8d-cbc7-4e9b-8652-8e26308b0769/
                  +guest ok = no
                  +guest only = no
                  +read only = no
                  +browseable = yes
                  +inherit acls = yes
                  +inherit permissions = yes
                  +ea support = yes
                  +store dos attributes = yes
                  +fruit:encoding = private
                  +fruit:locking = none
                  +fruit:metadata = netatalk
                  +fruit:resource = file
                  +fruit:time machine = yes
                  +vfs objects =  fruit streams_xattr
                  +printable = no
                  +create mask = 0664
                  +force create mode = 0664
                  +directory mask = 0775
                  +force directory mode = 0775
                  +hide special files = yes
                  +follow symlinks = yes
                  +hide dot files = yes
                  +valid users = "don","administrator@example.com","donadmin@example.com","dexample@example.com","scanuser@example.com","jexample@example.com",@"domain users@example.com"
                  +invalid users = "nobody","sm_00896c44e6ca4e378@example.com","sm_92aebd7159514eedb@example.com","sm_4de0cc3fd712416ea@example.com","krbtgt@example.com","guest@example.com","sm_c69700aeff494c3d9@example.com",@"nogroup",@"exchange windows permissions@example.com",@"exchangelegacyinterop@example.com",@"server management@example.com",@"delegated setup@example.com",@"um management@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-512@example.com",@"winrmremotewmiusers__@example.com",@"wseremoteaccessusers@example.com",@"group policy creator owners@example.com",@"view-only organization management@example.com",@"cloneable domain controllers@example.com",@"hygiene management@example.com",@"protected users@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-1113@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-1106@example.com",@"recipient management@example.com",@"wseallowdashboardaccess@example.com",@"wseinvisibletodashboard@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-1107@example.com",@"read-only domain controllers@example.com",@"enterprise admins@example.com",@"wseallowcomputeraccess@example.com",@"dnsadmins@example.com",@"cert publishers@example.com",@"domain admins@example.com",@"organization management@example.com",@"exchange servers@example.com",@"wseallowshareaccess@example.com",@"dhcp users@example.com",@"records management@example.com",@"wsealertadministrators@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-514@example.com",@"denied rodc password replication group@example.com",@"dhcp administrators@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-519@example.com",@"domain guests@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-1110@example.com",@"wseremotewebaccessusers@example.com",@"wseallowaddinaccess@example.com",@"wseallowhomepagelinks@example.com",@"exchange trusted subsystem@example.com",@"$i31000-q93gr5525bp9@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-1108@example.com",@"discovery management@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-1109@example.com",@"allowed rodc password replication group@example.com",@"exchange all hosted organizations@example.com",@"public folder management@example.com",@"dnsupdateproxy@example.com",@"wseallowmediaaccess@example.com",@"help desk@example.com",@"domain controllers@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-513@example.com",@"domain computers@example.com",@"schema admins@example.com",@"ras and ias servers@example.com",@"wsemanagedgroups@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-1111@example.com",@"enterprise read-only domain controllers@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-518@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-1112@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-1105@example.com",@"s-1-5-21-2781488526-1165096633-3670503853-572@example.com"
                  +read list = "administrator@example.com"
                  +write list = "don","donadmin@example.com","dexample@example.com","scanuser@example.com","jexample@example.com",@"domain users@example.com"
                  +
----------
          ID: configure_samba_recyclebin_cron
    Function: file.managed
        Name: /etc/cron.daily/openmediavault-samba-recycle
      Result: True
     Comment: File /etc/cron.daily/openmediavault-samba-recycle is in the correct state
     Started: 13:38:16.621158
    Duration: 3.779 ms
     Changes:   
----------
          ID: remove_samba_recyclebin_cron_scripts
    Function: module.run
      Result: True
     Comment: file.find: []
     Started: 13:38:16.626297
    Duration: 2.204 ms
     Changes:   
              ----------
              file.find:
----------
          ID: configure_default_wsdd
    Function: file.managed
        Name: /etc/default/wsdd
      Result: True
     Comment: File /etc/default/wsdd is in the correct state
     Started: 13:38:16.628691
    Duration: 3.348 ms
     Changes:   
----------
          ID: divert_default_wsdd
    Function: omv_dpkg.divert_add
        Name: /etc/default/wsdd
      Result: True
     Comment: Leaving 'local diversion of /etc/default/wsdd to /etc/default/wsdd.distrib'
     Started: 13:38:16.632854
    Duration: 30.3 ms
     Changes:   
----------
          ID: divert_samba_smb_config
    Function: omv_dpkg.divert_add
        Name: /etc/samba/smb.conf
      Result: True
     Comment: Leaving 'local diversion of /etc/samba/smb.conf to /etc/samba/smb.conf.distrib'
     Started: 13:38:16.663669
    Duration: 34.013 ms
     Changes:   
----------
          ID: test_samba_service_config
    Function: cmd.run
        Name: samba-tool testparm --suppress-prompt
      Result: True
     Comment: Command "samba-tool testparm --suppress-prompt" run
     Started: 13:38:16.700812
    Duration: 181.554 ms
     Changes:   
              ----------
              pid:
                  68237
              retcode:
                  0
              stderr:
                  INFO: Current debug levels:
                    all: 10
                    tdb: 10
                    printdrivers: 10
                    lanman: 10
                    smb: 10
                    rpc_parse: 10
                    rpc_srv: 10
                    rpc_cli: 10
                    passdb: 10
                    sam: 10
                    auth: 10
                    winbind: 10
                    vfs: 10
                    idmap: 10
                    quota: 10
                    acls: 10
                    locking: 10
                    msdfs: 10
                    dmapi: 10
                    registry: 10
                    scavenger: 10
                    dns: 10
                    ldb: 10
                    tevent: 10
                    auth_audit: 10
                    auth_json_audit: 10
                    kerberos: 10
                    drs_repl: 10
                    smb2: 10
                    smb2_credits: 10
                    dsdb_audit: 10
                    dsdb_json_audit: 10
                    dsdb_password_audit: 10
                    dsdb_password_json_audit: 10
                    dsdb_transaction_audit: 10
                    dsdb_transaction_json_audit: 10
                    dsdb_group_audit: 10
                    dsdb_group_json_audit: 10
                  lpcfg_do_global_parameter: WARNING: The "encrypt passwords" option is deprecated
                  lpcfg_do_global_parameter: WARNING: The "client use spnego" option is deprecated
                  Processing section "[sdb]"
                  pm_process() returned Yes
                  INFO 2021-10-08 13:38:16,867 pid:68237 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba/smb.conf
                  INFO 2021-10-08 13:38:16,867 pid:68237 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: Loaded services file OK.
              stdout:
                  # Global parameters
                  [global]
                      client use spnego = Yes
                      disable spoolss = Yes
                      encrypt passwords = Yes
                      guest account = nobody
                      kerberos method = secrets and keytab
                      log file = /var/log/samba/log.%m
                      logging = syslog
                      log level = 10
                      max log size = 1000
                      pam password change = Yes
                      panic action = /usr/share/samba/panic-action %d
                      passdb backend = tdbsam
                      passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
                      passwd program = /usr/bin/passwd %u
                      password server = dexta.example.com
                      printcap name = /dev/null
                      realm = EXAMPLE.COM
                      security = ADS
                      server string = %h server
                      socket options = TCP_NODELAY IPTOS_LOWDELAY
                      unix extensions = Yes
                      workgroup = EXAMPLE
                      fruit:aapl = yes
                      aio read size = 16384
                      aio write size = 16384
                      create mask = 0777
                      directory mask = 0777
                      use sendfile = Yes
                  
                  [sdb]
                      create mask = 0664
                      directory mask = 0775
                      force create mode = 0664
                      force directory mode = 0775
                      hide special files = Yes
                      inherit acls = Yes
                      inherit permissions = Yes
                      invalid users = nobody sm_00896c44e6ca4e378@example.com sm_92aebd7159514eedb@example.com sm_4de0cc3fd712416ea@example.com krbtgt@example.com guest@example.com sm_c69700aeff494c3d9@example.com @nogroup "@exchange windows permissions@example.com" @exchangelegacyinterop@example.com "@server management@example.com" "@delegated setup@example.com" "@um management@example.com" @s-1-5-21-2781488526-1165096633-3670503853-512@example.com @winrmremotewmiusers__@example.com @wseremoteaccessusers@example.com "@group policy creator owners@example.com" "@view-only organization management@example.com" "@cloneable domain controllers@example.com" "@hygiene management@example.com" "@protected users@example.com" @s-1-5-21-2781488526-1165096633-3670503853-1113@example.com @s-1-5-21-2781488526-1165096633-3670503853-1106@example.com "@recipient management@example.com" @wseallowdashboardaccess@example.com @wseinvisibletodashboard@example.com @s-1-5-21-2781488526-1165096633-3670503853-1107@example.com "@read-only domain controllers@example.com" "@enterprise admins@example.com" @wseallowcomputeraccess@example.com @dnsadmins@example.com "@cert publishers@example.com" "@domain admins@example.com" "@organization management@example.com" "@exchange servers@example.com" @wseallowshareaccess@example.com "@dhcp users@example.com" "@records management@example.com" @wsealertadministrators@example.com @s-1-5-21-2781488526-1165096633-3670503853-514@example.com "@denied rodc password replication group@example.com" "@dhcp administrators@example.com" @s-1-5-21-2781488526-1165096633-3670503853-519@example.com "@domain guests@example.com" @s-1-5-21-2781488526-1165096633-3670503853-1110@example.com @wseremotewebaccessusers@example.com @wseallowaddinaccess@example.com @wseallowhomepagelinks@example.com "@exchange trusted subsystem@example.com" @$i31000-q93gr5525bp9@example.com @s-1-5-21-2781488526-1165096633-3670503853-1108@example.com "@discovery management@example.com" @s-1-5-21-2781488526-1165096633-3670503853-1109@example.com "@allowed rodc password replication group@example.com" "@exchange all hosted organizations@example.com" "@public folder management@example.com" @dnsupdateproxy@example.com @wseallowmediaaccess@example.com "@help desk@example.com" "@domain controllers@example.com" @s-1-5-21-2781488526-1165096633-3670503853-513@example.com "@domain computers@example.com" "@schema admins@example.com" "@ras and ias servers@example.com" @wsemanagedgroups@example.com @s-1-5-21-2781488526-1165096633-3670503853-1111@example.com "@enterprise read-only domain controllers@example.com" @s-1-5-21-2781488526-1165096633-3670503853-518@example.com @s-1-5-21-2781488526-1165096633-3670503853-1112@example.com @s-1-5-21-2781488526-1165096633-3670503853-1105@example.com @s-1-5-21-2781488526-1165096633-3670503853-572@example.com
                      path = /srv/dev-disk-by-uuid-dddc6d8d-cbc7-4e9b-8652-8e26308b0769/
                      read list = administrator@example.com
                      read only = No
                      valid users = don administrator@example.com donadmin@example.com dexample@example.com scanuser@example.com jexample@example.com "@domain users@example.com"
                      vfs objects = fruit streams_xattr
                      write list = don donadmin@example.com dexample@example.com scanuser@example.com jexample@example.com "@domain users@example.com"
                      fruit:time machine = yes
                      fruit:resource = file
                      fruit:metadata = netatalk
                      fruit:locking = none
                      fruit:encoding = private
----------
          ID: start_samba_service
    Function: service.running
        Name: smbd
      Result: False
     Comment: Job for smbd.service failed because the control process exited with error code.
              See "systemctl status smbd.service" and "journalctl -xe" for details.
     Started: 13:38:17.503446
    Duration: 463.467 ms
     Changes:   
----------
          ID: start_samba_service_nmbd
    Function: service.running
        Name: nmbd
      Result: False
     Comment: One or more requisite failed: omv.deploy.samba.default.start_samba_service
     Started: 13:38:17.968921
    Duration: 0.017 ms
     Changes:   
----------
          ID: start_wsdd_service
    Function: service.running
        Name: wsdd
      Result: True
     Comment: Service wsdd is already enabled, and is running
     Started: 13:38:17.969107
    Duration: 200.994 ms
     Changes:   
              ----------
              wsdd:
                  True

Summary for debian
------------
Succeeded: 9 (changed=5)
Failed:    2
------------
Total states run:    11
Total run time:   1.811 s
root@omv6:~#

Alles anzeigen

Sorry for the formatting if it didn't work.

smbd not starting is the problem.

Code

root@omv6:~# systemctl status smbd.service
● smbd.service - Samba SMB Daemon
     Loaded: loaded (/lib/systemd/system/smbd.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Fri 2021-10-08 13:38:18 MDT; 15min ago
       Docs: man:smbd(8)
             man:samba(7)
             man:smb.conf(5)
    Process: 68280 ExecStartPre=/usr/share/samba/update-apparmor-samba-profile (code=exited, status=0/SUCCESS)
    Process: 68287 ExecStart=/usr/sbin/smbd --foreground --no-process-group $SMBDOPTIONS (code=exited, status=255/EXCEPTION)
   Main PID: 68287 (code=exited, status=255/EXCEPTION)
     Status: "Starting process..."
        CPU: 214ms

Oct 08 13:38:18 omv6 smbd[68287]: [2021/10/08 13:38:18.432590,  5, pid=68287, effective(0, 0), real(0, 0)] ../../source3/passdb/pdb_util.c:205(create_builtin_guests)
Oct 08 13:38:18 omv6 smbd[68287]:   create_builtin_guests: Failed to create Guests
Oct 08 13:38:18 omv6 smbd[68287]: [2021/10/08 13:38:18.432667,  4, pid=68287, effective(0, 0), real(0, 0)] ../../source3/smbd/sec_ctx.c:437(pop_sec_ctx)
Oct 08 13:38:18 omv6 smbd[68287]:   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
Oct 08 13:38:18 omv6 smbd[68287]: [2021/10/08 13:38:18.432741,  3, pid=68287, effective(0, 0), real(0, 0)] ../../source3/auth/token_util.c:786(finalize_local_nt_token)
Oct 08 13:38:18 omv6 smbd[68287]:   Failed to check for local Guests membership (NT_STATUS_INVALID_PARAMETER_MIX)
Oct 08 13:38:18 omv6 smbd[68287]: [2021/10/08 13:38:18.432827,  0, pid=68287, effective(0, 0), real(0, 0), class=auth] ../../source3/auth/auth_util.c:1410(make_new_session_inf>
Oct 08 13:38:18 omv6 smbd[68287]:   create_local_token failed: NT_STATUS_INVALID_PARAMETER_MIX
Oct 08 13:38:18 omv6 smbd[68287]: [2021/10/08 13:38:18.432907,  0, pid=68287, effective(0, 0), real(0, 0)] ../../source3/smbd/server.c:2052(main)
Oct 08 13:38:18 omv6 smbd[68287]:   ERROR: failed to setup guest info.

Alles anzeigen

Thanks

donh · 8. Oktober 2021

Code

Here is samba testparm.



root@omv6:~# samba testparm
INFO: Current debug levels:
  all: 10
  tdb: 10
  printdrivers: 10
  lanman: 10
  smb: 10
  rpc_parse: 10
  rpc_srv: 10
  rpc_cli: 10
  passdb: 10
  sam: 10
  auth: 10
  winbind: 10
  vfs: 10
  idmap: 10
  quota: 10
  acls: 10
  locking: 10
  msdfs: 10
  dmapi: 10
  registry: 10
  scavenger: 10
  dns: 10
  ldb: 10
  tevent: 10
  auth_audit: 10
  auth_json_audit: 10
  kerberos: 10
  drs_repl: 10
  smb2: 10
  smb2_credits: 10
  dsdb_audit: 10
  dsdb_json_audit: 10
  dsdb_password_audit: 10
  dsdb_password_json_audit: 10
  dsdb_transaction_audit: 10
  dsdb_transaction_json_audit: 10
  dsdb_group_audit: 10
  dsdb_group_json_audit: 10
lpcfg_do_global_parameter: WARNING: The "encrypt passwords" option is deprecated
lpcfg_do_global_parameter: WARNING: The "client use spnego" option is deprecated
Processing section "[sdb]"
pm_process() returned Yes
root@omv6:~#

Alles anzeigen

donh · 9. Oktober 2021

Seems the problem is with the way ownership of the file is assigned. Maybe due to the space in "domain user@" in the group?

donh · 9. Oktober 2021

You can see the problem by looking at omvIP/#/usermgmt/groups/create. Try to create a group for "test user". Turns red and wont save. I don't know if other "special characters" are effected.

ryecoaaron · 9. Oktober 2021

Zitat von donh

smbd not starting is the problem.

According to Red Hat, you might have to add some idmap configuration. This is what the posted solution was:

1) Ensure the id map is configured in smb.conf, like:

Code

[global]
...
idmap config * : backend = tdb
idmap config * : range 10000-199999
idmap config DOMAIN : backend = autorid
idmap config DOMAIN : range = 200000-2147483647

2) Map group BUILTIN\Guests to group nobody with following command:

Code

# net -s /dev/null groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin

3) Restart samba services and replicate the issue:

Code

# systemctl restart {smb,nmb}
# smbclient //$(hostname)/<share> -U DOMAIN\\<user> -d10

donh · 10. Oktober 2021

Zitat von ryecoaaron
According to Red Hat, you might have to add some idmap configuration. This is what the posted solution was:

1) Ensure the id map is configured in smb.conf, like:
Code
[global]
...
idmap config * : backend = tdb
idmap config * : range 10000-199999
idmap config DOMAIN : backend = autorid
idmap config DOMAIN : range = 200000-2147483647
2) Map group BUILTIN\Guests to group nobody with following command:
Code
# net -s /dev/null groupmap add sid=S-1-5-32-546 unixgroup=nobody type=builtin
3) Restart samba services and replicate the issue:
Code
# systemctl restart {smb,nmb}
# smbclient //$(hostname)/<share> -U DOMAIN\\<user> -d10

Thanks for the reply. Can you post a link to that article?

ryecoaaron · 10. Oktober 2021

Zitat von donh

Can you post a link to that article?

I copied everything from it since you have to have a redhat account (I do) to see it. But here is the link - https://access.redhat.com/solutions/4367771

donh · 10. Oktober 2021

OK thanks. Will try later. It is working sort of without that. Problem seems to be groups not working correctly. This may help.

donh · 10. Oktober 2021

From the man page linked in omv6/#/services/smb/settings

Code

IDENTITY MAPPING CONSIDERATIONS

In the SMB protocol, users, groups, and machines are represented by their security identifiers (SIDs). On POSIX system Samba processes need to run under corresponding POSIX user identities and with supplemental POSIX groups to allow access to the files owned by those users and groups. The process of mapping SIDs to POSIX users and groups is called IDENTITY MAPPING or, in short, ID MAPPING.

Samba supports multiple ways to map SIDs to POSIX users and groups. The configuration is driven by the idmap config DOMAIN : OPTION option which allows one to specify identity mapping (idmap) options for each domain separately.

Identity mapping modules implement different strategies for mapping of SIDs to POSIX user and group identities. They are applicable to different use cases and scenarios. It is advised to read the documentation of the individual identity mapping modules before choosing a specific scenario to use. Each identity management module is documented in a separate manual page. The standard idmap backends are tdb (idmap_tdb(8)), tdb2 (idmap_tdb2(8)), ldap (idmap_ldap(8)), rid (idmap_rid(8)), hash (idmap_hash(8)), autorid (idmap_autorid(8)), ad (idmap_ad(8)), nss (idmap_nss(8)), and rfc2307 (idmap_rfc2307(8)).

Overall, ID mapping configuration should be decided carefully. Changes to the already deployed ID mapping configuration may create the risk of losing access to the data or disclosing the data to the wrong parties.

This example shows how to configure two domains with idmap_rid(8), the principal domain and a trusted domain, leaving the default id mapping scheme at tdb.

    [global]
    
    workgroup = MAIN

    idmap config * : backend        = tdb
    idmap config * : range          = 1000000-1999999

    idmap config MAIN : backend     = rid
    idmap config MAIN : range       = 5000000-5999999

    idmap config TRUSTED : backend  = rid
    idmap config TRUSTED : range    = 6000000-6999999
   ...

Alles anzeigen

Code

security = domain  ### in "Extra options"

Causes server error 500 as above. So catch 22, back to the above.

Thanks

donh · 10. Oktober 2021

This might be useful for this or other things that get set by omv scripts.

https://serverfault.com/questi…-to-smb-conf-via-a-script

Will try later.

Thanks

FYI /etc/samba/smb.d/ad.conf does work. But not for security = domain. Tested by moving settings from extra options to ad.conf and adding the include in extra options. Tested on 5 and 6.

donh · 11. Oktober 2021

Opened a github issue. https://github.com/openmediavault/openmediavault/issues/1109

mi-hol · 11. Oktober 2021

Zitat von donh

Opened a github issue. https://github.com/openmediavault/openmediavault/issues/1109

For good reasons a template for issue reports was created but not used for this case.

Volker usually refuses to read long forum threads.

May I suggest to close & reopen it using the template?

donh · 11. Oktober 2021

Where is this template? Never used one before.

Thanks

mi-hol · 11. Oktober 2021

its used when you select option "bug report"

donh · 11. Oktober 2021

Hm it just came up blank before. Anyway will fill it out.

Thanks

New issue https://github.com/openmediavault/openmediavault/issues/1110

mi-hol · 11. Oktober 2021

Zitat von donh

Hm it just came up blank before.

maybe due to a temporary outage or slow response. Issue templates are in use for OMV since :

Update issue templates committed on Dec 16, 2020

Thanks for the new issue, would you mind to move the forum link to the section "

Reference to Forum

URL link to forum post"?

The first part until "Describe the bug" can be removed

donh · 9. November 2021

Well it seems to be working now. Seems security = ads was not needed. Will reproduce and post refined directions when I get a chance.

mi-hol · 10. November 2021

good to hear, I've closed the related issue in github

Jetzt mitmachen!